[Openswan Users] Using x.509 certificates without CA - INVALID_KEY_INFORMATION

elison.niven at gmail.com elison.niven at gmail.com
Sat May 14 02:23:21 EDT 2011

Hi list,

I am trying to setup IPSEC connections between two machines using
x.509 certificates without using a CA.

On each machine I created the keys and the certificate like this :
# openssl genrsa -des3 -out west.key 1024
# openssl req -new -key west.key -x509 -out west.cert

ipsec.conf on both machines is similar :
conn temp

The certificates west.cert and east.cert are placed in
/etc/ipsec.d/certs on both machines and each machine has its own
private key at /etc/ipsec.d/private/

ipsec.secrets on both machines is similar (change west to east etc):
: RSA west.key 'passphrase'

The error I am getting on giving ipsec auto --up temp is

The openswan wiki quick problem solving guide says :

Cause: Openswan did receive a key, but could not establish its
authenticity. With certificates, it might mean that not all CA
certificates in the certificate chain are in /etc/ipsec.d/cacerts.
FIXME(I do not know too much about the other auth methods): with
dnssec, maybe the DNS is unreacheable, or does not contain the
necessary data.

I have not used any CA to sign the certificates. Is this valid with
openswan? I am using 2.6.33 on one machine and 2.6.32 on another. Both
are using the NETKEY stack.
Is it necessary to sign the certificates by a CA? How can I establish
a connection using certificates without a CA?

Best Regards,

More information about the Users mailing list